Organic SEO Blog

Monday, August 19, 2013

Hacking assaults on media sites intensify

SEATTLE — Middle Eastern hackers infiltrated a popular Internet news delivery service on Thursday, giving them possible access to some of the largest U.S. news sites.

An online group called The Syrian Electronic Army, representing supporters of Syrian President Bashar al-Assad, hacked the Internet service of Outbrain, a content recommendation company whose software "widget" is embedded in the websites of several major publications.

As a result, the websites operated by three Outbrain clients — The Washington Post, Time and CNN — contained messages that referred to the SEA.

USA TODAY is also an Outbrain client, but its site was not affected.

That development — combined with the hack of the Twitter accounts of several New York Post reporters on Tuesday and the website outage of The New York Times on Wednesday — is being viewed by some security experts as evidence that major U.S. news outlets have now emerged as prime targets for nation-state adversaries of the U.S.

The New York Times attributed its outage to a server problem.

"It's starting to look like there's an organized campaign targeting major U.S. media outlets," says Tom Kellermann, Trend Micro's vice president of cybersecurity. "It's not clear whether their end game is to target reporters' sources or to use the news sites as watering holes (to infect patrons.)"

In a statement, Emilio Garcia-Ruiz, managing editor of The Washington Post, confirmed that "some articles on our website were re-directed to the Syrian Electronic Army's site for a period of about 30 minutes" Thursday morning.

Garcia-Ruiz pointed out a tweet by SEA that claimed it used Outbrain as a vehicle for the attack. "We have taken defensive measures and removed the offending module," Garcia-Ruiz wrote. "At this time, we believe there are no other issues affecting the site."

A few days ago, Post newsroom employees were targets of a phishing attack allegedly carried out by the Syrian Electronic Army, Garcia-Ruiz said. "The attack resulted in one staff writer's personal account being used to send out a Syrian Electronic Army message," he said.

CNN also confirmed Thursday that an Outbrain headline widget used by its international website, CNNi.com, ran headlines referring to SEA. The widget was subsequently removed. Its main website, CNN.com, was not affected, the company said.

"The security of a vendor plug-in that appeared on CNNi.com was briefly compromised today. The issue was quickly identified and (the) plug-in disabled," said CNN spokesman Matt Dornic.

In a statement, Time Inc. said "content provided by Outbrain that appeared on some of our sites was impacted by the hacking activity at Outbrain. We're no longer running that content."

Outbrain issued this statement: "We are aware that Outbrain was hacked earlier today. In an effort to protect our publishers and readers, we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it's safe to turn it back on securely. We are working hard to prevent future attacks of this nature."

Gunter Ollmann, chief technology officer at computer security firm IOActive, observes that as websites continue to embed content streams from third parties and other affiliates, "this type of hack can taint many of the more secure and popular sites on the Internet."

Starting last fall, U.S. financial institutions have been hit by three waves of massive denial-of-service attacks, shutting down their consumer websites for extended periods, despite heavy investments in security technology. An Islamic group claimed responsibility. Experts say that those outages may have helped cover large-scale hijacking of funds from online accounts.

"Now we're seeing our geopolitical adversaries moving on to wage a campaign against major U.S. media outlets," says Kellermann. "The U.S. military cannot protect private corporations from these types of attacks. So targeting media is a cultural vulnerability being exploited by the enemies of the U.S. The irony is that we believe in freedom of speech. Our enemies are showing they can control that."

Embedding software from partner vendors is a common practice for media websites. That innovation poses potential dangers for U.S. media companies, as it exposes a vast security weakness intrinsic to the loose-knit trust relationships on which online promotions and advertising have been built.

Third-party partnerships to promote content and direct advertising to specific audiences support the multibillion-dollar online advertising industry. This Internet-enabled collaborative effort to match your Web-surfing habits to things you might buy is wide open to the spread of malicious code, experts say.

"From a hacker's perspective, this represents a (form of) soft attack for compromising high value and prestige websites — and we can expect them to be targeted with increased vigor over the next few years," Ollmann said.

The SEA clearly took pains to analyze the supply chain partners of the media giants. And with a bit more digging, anyone can discover which of the thousands of smaller ad networks and third-party affiliates, such as Outbrain, are looped in.

"You can go through and see which are the most vulnerable and which ones have the highest presence on the most news media sites," says Darien Kindlund, manager of threat intelligence at network security firm FireEye. "If I were a large media organization, I'd want to review all of the trust relationships I have with ad partners and make sure none of them are vulnerable in the same way as Outbrain."